cmd: elf: Prevent possible buffer overflow

In do_bootvx the environment variable 'bootdev' is fetched and copied
into a buffer without confirming that it will not overflow that buffer.
Use strlcpy to ensure that the buffer will not be overflowed.

This issue was found by Smatch.

Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>

diff --git a/cmd/elf.c b/cmd/elf.c
index 5e0ee30a7c86944cfad8882b01fe22a8e1909597..53ec193aaa633486464885c303ce88a7aa6b55cb 100644 (file)
--- a/cmd/elf.c
+++ b/cmd/elf.c
@@ -21,6 +21,8 @@
 #include <linux/linkage.h>
 #endif
 
+#define BOOTLINE_BUF_LEN 128
+
 /* Interpreter command to boot an arbitrary ELF image from memory */
 int do_bootelf(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
 {
@@ -114,7 +116,7 @@ int do_bootvx(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
        unsigned long bootaddr = 0; /* Address to put the bootline */
        char *bootline; /* Text of the bootline */
        char *tmp; /* Temporary char pointer */
-       char build_buf[128]; /* Buffer for building the bootline */
+       char build_buf[BOOTLINE_BUF_LEN]; /* Buffer for building the bootline */
        int ptr = 0;
 #ifdef CONFIG_X86
        ulong base;
@@ -226,7 +228,7 @@ int do_bootvx(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
        if (!bootline) {
                tmp = env_get("bootdev");
                if (tmp) {
-                       strcpy(build_buf, tmp);
+                       strlcpy(build_buf, tmp, BOOTLINE_BUF_LEN);
                        ptr = strlen(tmp);
                } else {
                        printf("## VxWorks boot device not specified\n");